Data Protection Bill and GDPR

3 May 2018

The General Data Protection Regulation (GDPR) will come into force on 25 May. The Data Protection Bill, which is still going through Parliament, updates data protection laws in the UK and supplements the GDPR.

Overview of concerns

The Optical Confederation and other bodies representing primary care providers have serious concerns that the Bill, as currently drafted, defines all primary care providers as ‘public authorities’, which will require them to appoint a statutory Data Protection Officer (DPO) purely on that basis.

The GDPR itself only requires an organisation to appoint a DPO if it is a genuine public authority, or processes sensitive data, such as healthcare data, “on a large scale”. This requirement was not intended to capture primary care providers as a matter of course, and in the case of providers that don’t process data on a large scale, is simply not needed.

Amendment

Liberal Democrat MP Christine Jardine has tabled an amendment which, if passed, would exempt primary care providers from the Bill’s definition of ‘public authorities’, and therefore the blanket requirement to appoint a DPO. This has been supported by Labour MP Julie Cooper. Larger primary care providers that process sensitive patient data on a large scale will be required to appoint a DPO under the GDPR, regardless of the Bill, and this amendment will not change that. The amendment is due to be considered as the Bill goes to report stage on 9 May.

Tweet your MP

We are calling on members to help build support for the amendment by tweeting the following and tagging your MP in the tweet:

‘[.tag name] I am a constituent and I’m calling on you to support amendment 19 to the #DataProtectionBill, to prevent small primary care providers from the unnecessary requirement to appoint a DPO. A briefing with further information can be found here: https://tinyurl.com/y7qzh8sr